The use of Internet of Things (IoT) sensors has exploded in popularity in recent years as cheap, effective IoT sensors make it possible to connect devices that do everything from regulating smart home features to monitoring health and fitness using wearable devices.
IoT sensors also are increasingly making their way into business use-cases. In the industrial IoT, sensors are used in many different contexts, including to control and monitor machinery and to regulate core infrastructure systems.
IoT device and sensor usage has accelerated even more with advances in 5G connectivity and the shift to remote work, says Willi Nelson, chief information security officer for Operational Technologies at Fortinet, a cybersecurity firm. In fact, the number of IoT devices in use is projected to nearly triple to 29 billion in 2030 compared to 9.7 billion today, according to data from Statista.
Yet as IoT adoption increases, IoT sensors and devices also are becoming more popular targets for cybercriminals.
"They remain a prime target of cybercriminals as a fast path to gain access to enterprise networks," says Nelson. Fortinet found 93% of companies using IoT sensors in some capacity had one or more cybersecurity intrusions in the past year. A full 78% had experienced three or more, and these attacks increasingly are targeting industrial IoT operations, too.
That is because IoT is a fundamentally different technology than existing systems—a technology with plenty of attack surfaces. Each sensor and device connected to an IoT network presents a possible security risk, opening up an attack vector into an individual or company's hardware, software, and/or data.
In theory, IoT security standards are supposed to mitigate cybersecurity risks by encouraging companies to follow best security practices when designing and deploying IoT sensors and devices.
However, in practice, the standards available to manufacturers and companies using IoT technology do not always offer sufficient protection, are not always designed specifically for IoT, and are not always followed.
Despite the vulnerability of IoT devices, quite shockingly, there is no single standard for IoT security.
IoT sensors carry a variety of unique risks because they are connected to larger sensitive networks. Medical IoT devices handle sensitive and often legally protected patient and hospital data. Industrial IoT sensors connect to other critical manufacturing equipment. IoT sensors in energy offer a gateway into critical private and public power infrastructures.
One prominent example is the damage caused by the malware named "Mirai" in 2016. Mirai infected computers and devices, which in turn targeted IoT devices and sensors. Once infected, IoT devices were used to temporarily take down many popular websites, including Twitter, Netflix, and Airbnb.
In IoT, a standard is a document providing rules and guidelines for some aspect of an IoT device's manufacturing, functioning, and/or usage. These standards are developed by dozens of highly credible organizations within the industry, including major players such as the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), the European Telecommunications Standards Institute (ETSI), and the Institute of Electrical and Electronics Engineers (IEEE).
By following established, credible security standards, companies making and using IoT sensors can have a high degree of confidence their technology uses the best security features and practices.
There are plenty of security standards that IoT devices can—or should—follow. Some are related to how IoT devices use networks and transmit data. Some are related to the underlying technologies IoT devices rely upon (such as Wi-Fi). Others offer comprehensive guidance on how to create and use IoT devices in a secure way.
One well-known IoT standard is ISO/IEC 30141. According to the ISO, 30141 "provides a standardized IoT Reference Architecture using a common vocabulary, reusable designs, and industry best practices."
Another standard, TS 103645 from ETSI, a European-focused organization, aims to create a security baseline for Web-connected devices, including guidelines for password usage, software updates, and user data standards for consumer IoT devices.
In another example, the U.S. National Institute of Standards and Technology (NIST) has created a list of six prescribed security characteristics that manufacturers should incorporate into IoT devices. The list includes security features such as device identification, device configuration features, data protection features, logical access to interfaces, adequate software and firmware updates, and adequate cybersecurity event logging.
There are dozens of organizations that publish helpful standards to guide IoT manufacturers and device customers on how to design, manufacture, and use IoT sensors and sensor-enabled devices in the safest way possible. However, the diversity of organizations and standards also presents problems.
Some standards organizations may aim to publish universal standards across different IoT technologies, while others may only publish standards for certain countries or devices and technologies. While these organizations are usually highly credible and undergo rigorous processes to ensure their standards are comprehensive, many such standards are not legally binding.
This means there is no single standard out there for IoT security.
In addition, existing standards are not always designed for the unique risks IoT technologies face, says Izzat Alsmadi, a computer science professor at Texas A&M University in San Antonio, who does work on IoT security. Existing standards may not adequately apply to significant numbers of IoT sensors, he explained, and some IoT devices and networks use proprietary technology that does not follow more widely accepted or used industry standards.
"Today's IoT standards are relevant, but not enough and in some cases not up to date or not up to security challenges," says Alsmadi. That's because some of today's existing security mechanisms were initially designed for desktop computers and are difficult to implement on resource-constrained IoT devices, he says.
There also is the problem of compliance. Standards are often voluntary—and many companies do not adhere to them due to business pressures.
"Currently, the IoT segment sacrifices security due to resource allocation and price," says Marion Marincat, founder and CEO of Mumbli, an IoT company. It is often faster and cheaper to limit security options in order to get to market, he says. As such, the standards for IoT mainly end up being adopted by the companies with deep-enough pockets and wide-enough competitive moats to afford to implement better security in their devices.
"Although there are a lot of methods to design low-cost devices with security in mind, business decisions usually push back the implementation for these solutions in order to speed up the route to market or reduce the price of devices even further," says Marincat.
The issues with IoT sensor standards have larger implications for the overall security of the Internet of Things.
"The Internet of Things is very vulnerable in comparison with other categories of information systems," says Alsmadi, because so many IoT applications are publicly visible and can be remotely controlled.
These vulnerabilities become even more pronounced as the adoption of IoT grows, especially as the industrial Internet of Things becomes a growing attack vector.
"The biggest change in operational technology systems over the past decade is that they have recently become more vulnerable to attacks from the outside as they are moving away from isolated, air-gapped environments and embracing more automation and digitally connected devices and systems," says Fortinet's Nelson.
Industrial IoT devices often run on hardware with little or no management interface and often cannot be upgraded in the field. Physically, IoT devices in industrial use-cases frequently are installed in hard-to-reach or publicly inaccessible places (such as on top of a building). As such, they must be able to operate unattended for long periods and be resistant to physical tampering, he says.
"An attack on industrial IoT, especially on a device or system used to monitor critical operations and processes, can have a very significant impact on not only the business itself but also on the environment, even on the health and safety of staff and the public at large," Nelson says.
Marincat advocates rolling out minimum standards to broad categories of IoT devices, but acknowledges many manufacturers will still see complying with such standards as a luxury in a competitive marketplace.
However, even with smarter standards approaches, making security updates to combined IoT software/hardware can be slower and more complicated than bug fixes and security updates for software alone.
One possible fix is having companies adopt smarter risk-mitigation policies in how they use IoT devices, says Nelson. Companies should consider employing a zero-trust access (ZTA) model that verifies users and devices before every application session.
"Zero-trust access confirms that users and devices meet the organization's policy to access that application and dramatically improves the organization's overall risk posture," he says.
Nelson also recommends companies use micro-segmentation in their networks. This approach segments and isolates attack surfaces into specific zones. Data flows are then controlled into these zones. The result is companies can limit attacks to a small subset of the business, minimizing the chance bad actors move laterally through networks into other core business functions.
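The zero-trust access check and the micro-segmentation approach described above, as an added example (not Fortinet's, Nelson's, or the article's code). It models the per-session device verification (identity certificate, firmware level, management-plane check-in) and a default-deny flow policy between zones, and goes one step further by computing the zones a compromised host could reach directly. Device records, zone names, protocols, firmware minimums and the staleness threshold are all constructed for illustration.

```python
"""Per-session zero-trust device check combined with a default-deny zone policy.

Added example (not Fortinet's, Nelson's, or the article's code). Device
records, zone names, protocols and firmware minimums are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    device_class: str          # "sensor" or "gateway" (constructed classes)
    zone: str                  # network zone the device is placed in
    firmware: str              # dotted version string reported by the device
    cert_valid: bool           # presented a valid, unexpired device certificate
    secs_since_mgmt_seen: int  # seconds since the management plane last saw it


# Zone flow policy: (source zone, destination zone) -> allowed protocols.
# Any pair not listed is denied; there is no implicit "same network" trust.
ZONE_POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("sensors", "historian"): frozenset({"mqtt"}),
    ("historian", "analytics"): frozenset({"https"}),
    ("ops-workstations", "historian"): frozenset({"https", "ssh"}),
}

# Minimum acceptable firmware per device class (constructed values).
MIN_FIRMWARE: Dict[str, str] = {"sensor": "2.4.0", "gateway": "5.1.2"}

# Devices silent for longer than this are treated as unmanaged (constructed).
STALE_AFTER_SECS = 3600


def firmware_at_least(actual: str, minimum: str) -> bool:
    """Numeric, segment-wise comparison so that '2.10.0' >= '2.4.0' holds."""
    def to_tuple(version: str) -> Tuple[int, ...]:
        return tuple(int(part) for part in version.split("."))
    return to_tuple(actual) >= to_tuple(minimum)


def verify_device(dev: Device) -> List[str]:
    """Identity and posture checks, run on EVERY session request.

    Returns the list of failed checks; an empty list means the device passes.
    """
    failures: List[str] = []
    if not dev.cert_valid:
        failures.append("identity: device certificate missing or invalid")
    minimum = MIN_FIRMWARE.get(dev.device_class)
    if minimum is None:
        failures.append(f"posture: unknown device class {dev.device_class!r}")
    elif not firmware_at_least(dev.firmware, minimum):
        failures.append(f"posture: firmware {dev.firmware} below minimum {minimum}")
    if dev.secs_since_mgmt_seen > STALE_AFTER_SECS:
        failures.append("posture: not seen by management plane recently")
    return failures


def authorize_session(dev: Device, dst_zone: str, protocol: str) -> Tuple[bool, str]:
    """Decide one application session: device check first, then zone policy."""
    failures = verify_device(dev)
    if failures:
        return False, "; ".join(failures)
    allowed = ZONE_POLICY.get((dev.zone, dst_zone), frozenset())
    if protocol not in allowed:
        return False, f"flow {dev.zone}->{dst_zone}/{protocol} not in zone policy (default deny)"
    return True, "allowed"


def directly_reachable(src_zone: str) -> Set[str]:
    """Zones a compromised host in src_zone could reach at all: its blast radius."""
    return {dst for (src, dst) in ZONE_POLICY if src == src_zone}


if __name__ == "__main__":
    healthy = Device("sensor-0017", "sensor", "sensors", "2.4.1", True, 120)
    outdated = Device("sensor-0042", "sensor", "sensors", "2.3.9", True, 120)
    for dev, dst, proto in [
        (healthy, "historian", "mqtt"),        # the job it was deployed for
        (healthy, "ops-workstations", "ssh"),  # lateral-movement attempt
        (outdated, "historian", "mqtt"),       # permitted flow, failed posture
    ]:
        ok, reason = authorize_session(dev, dst, proto)
        print(f"{dev.device_id} -> {dst}/{proto}: {'ALLOW' if ok else 'DENY'} ({reason})")
    print("blast radius of 'sensors':", sorted(directly_reachable("sensors")))
```

The two decisions are deliberately separate: a device that passes every posture check is still confined to the flows its zone is allowed, and a device with a legitimate destination is still refused when its posture has slipped since the last session. The blast-radius helper makes the segmentation payoff visible: if the policy table is the only path between zones, the set it returns for a zone is the whole of what an attacker who lands there can touch directly.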
Even basic risk mitigation techniques can help. Other popular risk mitigation techniques employed by businesses include encrypting internet connections, using alternate networks in addition to primary ones, and investing in higher-quality (and more costly) devices from companies that have, in turn, invested in stronger IoT security.
Despite all this, however, the vast majority of organizations can still expect at least one cybersecurity attack attempt in a given year. Research from Fortinet found only 6% of organizations experienced no cybersecurity intrusions in 2022.
Putting better cybersecurity measures in place still requires proactive, voluntary compliance from companies—compliance that has not always been forthcoming in the past. While the need for speed may win markets, it is not going away as a major obstacle to safer IoT devices and networks.
That leaves experts skeptical about just how much of the problem can be solved by expanded standards—and how much is a result of human nature and incentives in the technology sector.
"We tend to rush and enjoy advances in technology, then deal with security problems later on or when they become serious," says Alsmadi.
2022 State of Operational Technology and Cybersecurity Report, Fortinet, Jun. 21, 2022, https://bit.ly/3G6HTDO
IoT Standards and Protocols Explained, Behrtech, https://behrtech.com/blog/iot-standards-and-protocols-explained
Number of IoT connected devices worldwide 2019–2021, with forecasts to 2030, Statista, Nov. 22, 2022, https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide
©2023 ACM 0001-0782/23/06